Re: Antwort: INSERT with raw_sql_query returns error

From: Mike Kienenberger (mkienen..mail.com)
Date: Wed Aug 25 2010 - 14:21:55 UTC


    Just be careful what input you accept for "columns." This could lead
    to an SQL injection attack if the end-user has any control over the
    contents of "columns" since you are now bypassing the prepared
    statement parameter binding. The same is also true for table and schema.

    On Wed, Aug 25, 2010 at 3:35 AM, Nikos Paraschou <niparas..mail.com> wrote:
    > Andrus, you gave the answer one minute just before I posted:
    >
    > ("columns" will have to be a comma-separated String) (not an ArrayList)
    >
    > I'll try that out.
    >
    > Thank you,
    > Nikos
    >
    > On 25/8/2010 10:29 AM, Andrus Adamchik wrote:
    >>
    >> Exactly. However something like that may work ("columns" will have to be a
    >> comma-separated String) :
    >>
    >>    insert into $schema.$table ($columns) values(#bind($values))
    >>
    >> Andrus
    >>
    >> On Aug 25, 2010, at 7:46 AM, patrick.maywe..i-de.com wrote:
    >>
    >>> Hi Nikos,
    >>> the #bind variables are replaced by PreparedStatement parameters and DB2
    >>> does not allow parameter for column names.
    >>> Regards,
    >>> Patrick
    >>>
    >>>
    >>>
    >>>
    >>> Nikos Paraschou <niparas..mail.com>
    >>> 24.08.2010 23:00
    >>> Please reply to
    >>> use..ayenne.apache.org
    >>>
    >>> To
    >>> use..ayenne.apache.org
    >>> Cc
    >>>
    >>> Subject
    >>> INSERT with raw_sql_query returns error
    >>>
    >>>  Hello,
    >>>
    >>> I have created the following raw sql query inside Cayenne Modeler:
    >>>
    >>> insert into $schema.$table (#bind($columns)) values(#bind($values))
    >>>
    >>> To run it from a java application I use this code:
    >>>
    >>> // Parameter names used in the query template ($schema, $table, $columns, $values)
    >>> String[] keys = new String[] {"schema", "table", "columns", "values"};
    >>> // columnNames and columnValues are ArrayLists at this point
    >>> Object[] values = new Object[] {schema, table, columnNames,
    >>> columnValues};
    >>> NamedQuery query = new NamedQuery("myQuary", keys, values);
    >>> context.performQuery(query);
    >>>
    >>> columnNames and columnValues are both ArrayLists. The binding of the
    >>> values to their keys seems to work fine (according to the log messages
    >>> when the query is run). Unfortunately, I keep getting a
    >>> CayenneRuntimeException caused by:
    >>>
    >>> com.ibm.db2.jcc.am.SqlException: DB2 SQL Error: SQLCODE=-727,
    >>> SQLSTATE=56098, SQLERRMC=2;-104;42601;(?,?,?,?,?,?,?,?,?,?,?,?,?)
    >>> values|AL_STATS_WITH_ID_WCT|<, DRIVER=3.57.82
    >>>
    >>> Am I doing something wrong? I am using Cayenne version 3.
    >>>
    >>> Thank you,
    >>> Nikos
    >>>
    >
    >
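An added example (not code from the thread or from Cayenne itself) showing the check Mike describes: the parts that are spliced into the SQL text ($schema, $table, $columns) are validated against an identifier pattern and an allowlist before the NamedQuery from the thread is built, while the values still go through #bind. The allowlists and the column names are constructed for this example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.cayenne.query.NamedQuery;

/**
 * Wraps the thread's named query
 *   insert into $schema.$table ($columns) values(#bind($values))
 * $schema, $table and $columns are spliced into the SQL text verbatim, so they are
 * validated here; only $values goes through #bind as PreparedStatement parameters.
 */
public final class SafeRawInsert {

    // Shape of a plain (unquoted) SQL identifier.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,127}");

    // Hypothetical allowlists (constructed for this example); a real application
    // would derive them from the Cayenne model, never from request input.
    private static final Set<String> SCHEMAS = new HashSet<String>(Arrays.asList("MYSCHEMA"));
    private static final Set<String> TABLES = new HashSet<String>(Arrays.asList("AL_STATS_WITH_ID_WCT"));
    private static final Set<String> COLUMNS = new HashSet<String>(Arrays.asList("ID", "STAT_NAME", "STAT_VALUE"));

    /** Returns ident unchanged if it is well-formed and allow-listed; otherwise throws. */
    static String checkIdentifier(String ident, Set<String> allowed) {
        if (ident == null || !IDENT.matcher(ident).matches() || !allowed.contains(ident)) {
            throw new IllegalArgumentException("rejected SQL identifier: " + ident);
        }
        return ident;
    }

    /** Builds the NamedQuery the way the thread does, after validating the spliced parts. */
    static NamedQuery buildInsert(String schema, String table,
                                  List<String> columnNames, List<Object> columnValues) {
        if (columnNames.size() != columnValues.size()) {
            throw new IllegalArgumentException("column/value count mismatch");
        }
        StringBuilder cols = new StringBuilder();
        for (String c : columnNames) {                  // e.g. "ID OR 1=1" is rejected
            if (cols.length() > 0) cols.append(", ");
            cols.append(checkIdentifier(c, COLUMNS));   // $columns: comma-separated String
        }
        String[] keys = {"schema", "table", "columns", "values"};
        Object[] vals = {checkIdentifier(schema, SCHEMAS), checkIdentifier(table, TABLES),
                         cols.toString(), columnValues};  // values stay a List for #bind
        return new NamedQuery("myQuary", keys, vals);
    }
}
```

Run it exactly as the thread does, with `context.performQuery(SafeRawInsert.buildInsert(schema, table, columnNames, columnValues))`; any identifier that fails the pattern or is not in the allowlist never reaches the SQL text.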



    This archive was generated by hypermail 2.0.0 : Wed Aug 25 2010 - 14:22:47 UTC